> Do I understand correctly that you are suggesting that a
> CA's namespace file can include rules for all of its
> subordinates? (This seems to be what your example implies.)
> I actually think I like this idea, see next comment.
That's indeed what I meant. It would enable new subordinates to "glide in" without intervention from the admin, as long as they stay within the namespace assigned for subordinates.
You all might want to look into a sort of movement that seems to exist in some PKIX members. I've picked up some Microsoft certs recently that seem to have AIA extensions that jump around missing links in the trust chain (between the end entity cert you have, and the trusted issuer pre-installed in your cert store). Somewhere I have read a justification / method for this but have lost track. But there is at least one example of another variant in a current draft in the IETF PKIX WG: http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-03.txt